Spamhaus changes

A number of ESPs are reporting an increase in SBL listings of big, well-known brands. InterestingSBLs seems to confirm this.

Just in the month of June I see tweets reporting SBL listings for: Disney (again, and again), AAA Michigan, NRCC, the Mitt Romney campaign, Macy’s (again), Facebook, Walmart Brazil, Safeway, Bacardi.

What happened? I think there are a number of reasons for an increase in SBL listings of well-known brands.

The first is that botnets are rapidly becoming a solved problem. That’s not to say that they’ve gone away, or that we should stop being vigilant about the spam and malicious mail coming out of them, but that there are more and better tools to deal with botnets than there have been in the past. That means that the folks at Spamhaus can look at different classes of unsolicited email.

I believe Spamhaus has some new mail feeds that let them see mail they were previously not seeing. Anyone who has multiple email addresses can tell you that the type of spam that one address gets is often vastly different than the type of mail another email address gets. When dealing with spamtrap feeds, that means that there is unsolicited mail that isn’t seen by the feed. I know there are companies who claim to have lists of hundreds of thousands of spamtraps, and I don’t doubt that some enterprising spammers have discovered Spamhaus spamtraps in the past. Adding new feeds means that Spamhaus will see spam that they were previously missing due to their traps being compromised.

As well as bringing up new feeds, I suspect Spamhaus has better tools to mine the data. This means they can see patterns and problem senders in a clearer way and list those that meet the Spamhaus listing criteria.

I’m not saying the Spamhaus standards have changed. Spamhaus has always said they will list anyone sending unsolicited bulk email. But, as with many organizations, what they could do was limited by the available resources. That resource allocation has changed and they can deal with more senders.

What does all this mean for senders? In a perfect world it wouldn’t mean anything. Senders would actually be sending mail only to people who had asked to receive it. Senders would have good list hygiene and pull off abandoned addresses long before they could be turned into spamtraps.

But we all know this isn’t a perfect world. There are a lot of senders that have lists with years of cruft on them. And not all of those addresses on the list actually opted in to receive that mail. Many of those senders have good stats, decent opens, low unknown user rates, and low complaint rates. But that doesn’t mean there aren’t problems with the lists. And those hidden problems may mean that just because you haven’t had a Spamhaus listing in the past doesn’t mean there isn’t going to be one in your future. It means senders who want to avoid SBL listings need to pay attention to list hygiene and dead addresses. It means the source of addresses and their audit trail is even more important than ever.

Meanwhile, ESPs are struggling to cope with the ongoing and increasing SBL listings.

EDIT: Mickey attributes some of the increase in listings to Spamhaus being better able to detect appended lists.

3 comments

  1. Scam, Scam, Scam – Word to the Wise says

    [...] week I said that botnets were mostly a solved problem. I then spent a paragraph trying to explain I didn’t mean they were gone, but that we had a [...]

  2. Tara Natanson says

    There could be other reasons as well. I’ve noticed recently that one of my addresses goes through periods of being added to legit seeming single opt-in lists. In the few cases in which I’ve asked the ESP to track down how I got added they usually tell me it was added by an IP that also added hundreds of other addresses at the same time. So some *thing* is programmatically list poisoning legit Single opt-in businesses. Since we never find out the trap address in a Spamhaus incident we would never be able to tell if one of their traps is getting signed up in this same manner. I’m not suggesting that SH traps really are getting added to senders lists, but it is something to think about.

  3. Cloudflare and Spamhaus – Word to the Wise says

    [...] Spamhaus has been the subject of a lot of discussion the last few weeks. I touched on this a little in June when I blogged that a number of large brands were getting SBL listings. [...]
